On Tuesday, 6 March 2007 06:44, Volodya wrote:
> One thing that might be done is not having an incredibly secure
> password protection (just secure enough), but when somebody adds
> themselves via password they get added in the disabled mode, then the
> person tells you "It asks me to tell you to enable me" and you do so.
> If somebody intercepts the password in between and uses it, the second
> person will get a request to inform you that password has been used
> already, so you just go and delete the bugger who used it.
>
> In other words: Bring security away from the machine and to the person.
Yes, sounds reasonable at first. But how to distinguish the MITM from the authorized peer? Maybe by being able to exchange p2p messages (while in restricted mode) to verify responses in-band which can't be used by the eavesdropper. Is this possible?

If you are still talking to the peer person out-of-band after the untrusted initial connect, you could verify the node key fingerprints to be sure, but everything in-band shall be distrusted at this point.

good byte
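The scheme the two messages sketch (an add-password admits a peer only in disabled mode, a second use of the same password raises an alert instead of enabling anyone, and only an out-of-band fingerprint check enables a peer and removes the impostor), modelled as an added Python example that is not code from this thread or from Freenet; the `Node` class, the truncated SHA-256 fingerprint and the sample keys are assumptions.

```python
import hashlib
import os
from dataclasses import dataclass, field


def fingerprint(pubkey: bytes) -> str:
    """Short hex fingerprint of a node key: the value a person reads out over the phone."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class Node:
    """Operator's node (assumed model). An add-password admits a peer into disabled mode only."""
    password_users: dict = field(default_factory=dict)  # password -> [fingerprints that used it]
    peers: dict = field(default_factory=dict)           # fingerprint -> enabled?
    alerts: list = field(default_factory=list)

    def issue_password(self) -> str:
        pw = os.urandom(8).hex()
        self.password_users[pw] = []
        return pw

    def add_with_password(self, pw: str, pubkey: bytes) -> str:
        """Remote peer presents the password with its node key; it is stored disabled."""
        users = self.password_users.get(pw)
        if users is None:
            return "rejected"
        fp = fingerprint(pubkey)
        self.peers[fp] = False
        users.append(fp)
        if len(users) > 1:
            # Same password used twice: it was intercepted. Nothing is enabled automatically.
            self.alerts.append(f"password reused; users so far: {users}")
            return "reused"
        return "disabled"

    def resolve_out_of_band(self, pw: str, fp_from_person: str) -> bool:
        """Enable the entry whose fingerprint the person confirmed out-of-band,
        delete every other entry that used the same password."""
        users = self.password_users.get(pw, [])
        if fp_from_person not in users:
            return False
        for fp in users:
            if fp == fp_from_person:
                self.peers[fp] = True
            else:
                self.peers.pop(fp, None)
        self.password_users[pw] = [fp_from_person]
        return True


def demo():
    node = Node()
    pw = node.issue_password()
    alice_key, mitm_key = b"constructed alice key", b"constructed mitm key"  # constructed sample keys
    statuses = [node.add_with_password(pw, mitm_key), node.add_with_password(pw, alice_key)]
    ok = node.resolve_out_of_band(pw, fingerprint(alice_key))
    return statuses, ok, dict(node.peers), len(node.alerts)
```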